
A client asked the other day for guidance on best practices regarding how often they ought to patch their systems. My immediate thought was “continuously.” However, most small to mid-sized enterprises don’t have the resources for that.

If you go to a source such as the Center for Internet Security they talk about patching as a critical security control and say you need a formalized program of patch management to “regularly update all apps, software, and operating systems.” But they don’t say much about how or how often this should be done.

Patching Frequency Best Practices from DoD

So, I hearkened back to the days when I was performing security audits for the Army. I probably did more than 500 of these on every type of system – from a small, rack-mounted tactical command & control server in the back of a Humvee to a 350,000-user wide area network in all 50 states. I started in the 1990s with the Department of Defense (DoD) Information Technology Security Certification & Accreditation Process (DITSCAP), and then moved to the DoD Information Assurance Certification and Accreditation Process (DIACAP), and finally the Risk Management Framework (RMF) that is in use today.

Typically, whenever we assessed those Army systems, if they had any missing patches or antivirus updates for more than a week, we would fail them. But when I researched this recently, I couldn’t find an Army or DoD reference to support this timeframe. You would think the DoD would have a best practice in place for that!

The Security Technical Implementation Guides (STIGs) serve as the reference guides for all of DoD and represent what I would call “high assurance” best practices. In fact, we used to joke that if you followed all of the STIG guidance, you would “brick” your system! There is, of course, always a tradeoff between system security and usability.

Upon examining all of these, I found that they actually provide varying advice on patching/update frequency – based on the criticality of the system, level of data being processed, or criticality/impact of the patches to be implemented.

The current objective for all patching in the DoD, according to the Cybersecurity Discipline Implementation Plan, dated February 2016, is: “All DoD information systems have current patches within 21 days of IAVA patch release.” In addition: “Systems with high risk security weaknesses that are over 120 days overdue will be removed from the network.”

Note that an IAVA is an Information Management Vulnerability Alert, which generally starts at the US Computer Emergency Response Team (CERT) level, and then is promulgated down to US Cyber Command and the Cyber Commands of the military service branches. These represent the most critical vulnerabilities for which all US government systems must be patched. We can also use this as a best practice for anyone running a high-security commercial system.

To summarize DoD guidance / best practices on security patching and patch frequency:

You must apply security patches in a timely manner (the timeframe varies depending on system criticality, level of data being processed, vulnerability criticality, etc.) in accordance with the Information Assurance Vulnerability Management (IAVM) process.

IAVM process: All systems must install all IAVAs and IAVBs (bulletins) immediately, and report back to the command within 21 days.

Download and regression test the patches on a staging system (to make sure they don’t break anything) before deploying to the enterprise.

Critical vulnerabilities that have published exploit code should be given the highest severity weighting and be addressed immediately – not waiting for a patching cycle.

Organizations with an automated patch distribution mechanism often establish a short timeframe (average is about 48 hours to one week) for the testing and distribution of critical patches.
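The timeframes summarized above (21 days from IAVA release, removal from the network for high-risk weaknesses more than 120 days overdue, and immediate action on critical vulnerabilities with published exploit code) are easy to turn into a compliance check against a patch inventory. The following is an added example, not code from the original post or from Abacode; the inventory rows, host names, patch identifiers and field names are all constructed for illustration.

```python
"""Patch-SLA compliance check (added example, not from the original post).

Applies the timeframes quoted above: IAVA patches are expected within 21 days
of release, hosts with high-risk weaknesses more than 120 days overdue are
candidates for removal from the network, and critical vulnerabilities with
published exploit code jump the queue and are due immediately.
All inventory data below is constructed; patch ids are not real IAVA numbers.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

IAVA_DEADLINE_DAYS = 21     # "current patches within 21 days of IAVA patch release"
REMOVAL_OVERDUE_DAYS = 120  # "over 120 days overdue will be removed from the network"

# Actions ordered from most to least urgent; a host's status is its worst action.
ACTION_ORDER = ["patch-now", "remove-from-network", "overdue", "within-window"]


@dataclass(frozen=True)
class MissingPatch:
    host: str
    patch_id: str          # constructed identifier (hypothetical)
    released: date         # date the patch / IAVA was released
    severity: str          # "critical", "high", "medium" or "low"
    exploit_public: bool   # exploit code has been published


def days_overdue(p: MissingPatch, today: date) -> int:
    """Days past the 21-day IAVA window (negative while still inside it)."""
    deadline = p.released + timedelta(days=IAVA_DEADLINE_DAYS)
    return (today - deadline).days


def classify(p: MissingPatch, today: date) -> str:
    """Map one missing patch to the action the guidance above calls for."""
    if p.severity == "critical" and p.exploit_public:
        return "patch-now"  # do not wait for the regular patching cycle
    overdue = days_overdue(p, today)
    # Only high-risk weaknesses trigger removal; a stale low-severity patch
    # is still overdue but does not by itself pull the host off the network.
    if overdue > REMOVAL_OVERDUE_DAYS and p.severity in ("critical", "high"):
        return "remove-from-network"
    if overdue > 0:
        return "overdue"
    return "within-window"


def host_status(inventory: list[MissingPatch], today: date) -> dict[str, str]:
    """Worst required action per host, so the report can be sorted by urgency."""
    status: dict[str, str] = {}
    for p in inventory:
        action = classify(p, today)
        current = status.get(p.host)
        if current is None or ACTION_ORDER.index(action) < ACTION_ORDER.index(current):
            status[p.host] = action
    return status


# Constructed sample inventory as of a fixed reporting date.
TODAY = date(2016, 6, 1)
SAMPLE = [
    MissingPatch("web01", "PATCH-A", date(2016, 5, 25), "critical", True),
    MissingPatch("web01", "PATCH-B", date(2016, 5, 20), "medium", False),
    MissingPatch("db01", "PATCH-C", date(2016, 1, 1), "high", False),
    MissingPatch("file01", "PATCH-D", date(2016, 4, 1), "low", False),
    MissingPatch("file01", "PATCH-E", date(2016, 1, 1), "low", False),
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(f"{p.host:8} {p.patch_id:8} {days_overdue(p, TODAY):5d} days overdue -> {classify(p, TODAY)}")
    print("host status:", host_status(SAMPLE, TODAY))
```

Run as a script it prints one line per missing patch and then the per-host summary; in practice the inventory would come from your vulnerability scanner or patch-management export rather than a hard-coded list.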

Finally, if this still sounds daunting (and it should), you may want to engage with a comprehensive Managed Security Services Provider (MSSP), such as Abacode to handle all this for you. We know IT folks don’t have the bandwidth to deal with all of this, given all their other duties just to keep the network up and running. Also, it does require continuous research to stay on top of all the latest threats and vulnerabilities. So, it makes sense to engage with someone who has the expertise and can manage this for you.

About the Author: Jeremy Rasmussen is Chief Technology Officer of Abacode, a Tampa, Florida based company that provides managed cybersecurity services for growing businesses across all industries. Abacode employs global thought leaders and industry experts in ethical hacking, corporate governance, and incident response to provide its clients with a holistic view of cybersecurity. He is also an instructor at the University of South Florida and founder of the USF Whitehatters Computer Security Club (WCSC). Since 2000, he has taught USF courses in cryptography and network security, ethical hacking, digital forensics & investigations, and mobile & wireless security. He has more than 25 years of experience in performing R&D and developing cybersecurity solutions for government and commercial customers. Jeremy is a Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH), and Project Management Professional (PMP). He was named the 2017 Tampa Bay Technology Leader of the Year.